Report of the Internal Auditor on Internal Audit Activities

Council 2016

Geneva, 25 May-2 June 2016

Agenda item: ADM 10 Document C16/44-E 12 April 2016 Original: English

Report by the Secretary-General

REPORT OF THE INTERNAL AUDITOR ON INTERNAL AUDIT ACTIVITIES

Summary This report covers the internal audit activities for the period between March 2015 and February 2016. Action required This report is transmitted to the Council for consideration. ______References ITU Financial Regulations and Rules (2010), Article 29

Introduction 1. This report is transmitted to the Council and responds to Article 29 of the Financial Regulations (2010). In accordance with the ITU Internal Audit charter,1 this report is submitted to the Secretary-General and presented to the Council for consideration. The current report covers activities from the period between March 2015 and February 2016. 2. In 2015, the Internal Audit Unit comprised two professional staff – a P.5 (Head of the Unit) and a temporary P.3 (Internal Auditor). Until May 2015 the general service staff (Audit Assistant) was working on a part-time basis and subsequently on a full-time basis. In September 2015 the incumbent of the temporary Junior Internal Auditor (at P.1 level) left the Union and the recruitment of the fixed term Junior Internal Auditor (at P.2 level) was completed with the incumbent taking up his functions mid-March 2016. Today the Unit consists thus of three professional posts and a full-time general service staff. 3. Internal Audit (IA) confirms that it conducts its audits in accordance with the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics established by the Institute of Internal Auditors2 (IIA), as well as with the provisions of the ITU Internal Audit

1 Service Order 13/09, promulgated by the Secretary-General on 27 June 2013 2 Institute of Internal Auditors, www.theiia.org • http://www.itu.int/council • 2C16/44-E

Charter.3 In addition, IA confirms that, for the period reported on, its staff had no managerial authority over, nor responsibility for, any of the activities audited and did not perform accounting or operational functions within ITU.

Orientation and scope of the internal audit activities 4. The IA plan for 2015 was approved by the Secretary-General in January 2015 and communicated to the External Auditor in an effort to promote efficiency and coordination. The orientation of the audit work was mainly towards the areas of assurance engagements. Two planned audits were not performed in 2015 (one was carried forward to early 2016 and one was cancelled further to the work of the External Auditor on that subject leading to reduced audit risk). 5. IA systematically shares copies of internal audit reports with the ITU External Auditor and with the Independent Management Advisory Committee (IMAC). In accordance with ITU Financial Regulation 29.5, final internal audit reports can be made available to Member States or their designated representatives. Further to the Council’s request to the ITU Secretary-General at its 2015 session, a facilitated mechanism for accessing internal audit reports was presented to the Council Working Group on Financial and Human Resources (at its October 2015 meeting) and immediately thereafter implemented. During the period reported on, no requests for accessing internal audit reports were received via the (new) online mechanism.

Objectives and conclusions of the assurance engagements 6. The objectives of the assurance engagements were to assess (i) the governance aspects of the Union’s operations audited, (ii) the risk management practices and (iii) the effectiveness of (internal) controls. The priority of the recommendations resulting from the audit work is classified according to the impact and likelihood of the deficiency (critical, high, medium, low). 7. Based on the various assurance engagements performed, IA concluded that, overall, the lack of guidance and policies (and communication thereof) would be the most frequently occurring shortcoming. To a lesser extent there were some shortcomings found in the risk assessment (at various levels) to allow the Union’s officials to manage risks adequately. For operations and transactions, internal controls tend to be reasonably effective. Recommendations made to Management are being actioned, with the support of the Secretary-General, and this will further strengthen ITU to fulfil its mandate. 8. The implementation of recommended actions is followed up by IA, as and when required (see also paragraph on follow-up further in this report).

The following assurance engagements have been conducted: A. Audit of travel between ITU/HQ and regional/area offices 9. The purpose of the audit was to assess to what extent travel between ITU/HQ and regional/area offices is – or can be – reduced and replaced by internal electronic working methods, and thus potentially lead to reduced expenses. The audit covered the period 1 January 2012 to 31 December 2014. 10. It was concluded that missions undertaken in the past could be hardly reduced or replaced by internal electronic working methods. A potential area for a remote working method can however be found in training related missions whenever possible. Management commented that BDT had already introduced substantial efficiency and economy measures with respect to travel.

3 Service Order 13/09, promulgated by the Secretary-General on 27 June 2013 3C16/44-E

Overall, findings from the audit provide Reasonable Assurance4 to the Secretary-General that, with respect to travel between ITU/HQ and regional/area offices, internal electronic working methods are adequately deployed and that ITU resources are thus used reasonably economically.

B. Audit of review and possible reduction of grades of vacant posts 11. The purposes of the audit were to assess the post classification process and to what extent reviewed grades of vacant posts had generated savings. The audit also partially covered review and upgrade of posts in order to obtain an exhaustive picture as to the post classification mechanism and the financial impact of upgrading posts. The audit covered the period 1 January 2012 to 31 December 2014. 12. It was concluded that the downgrading of posts in the period 2012-2014 generated 370’728 CHF of annual savings. These are offset by 257’251 CHF of additional annual expenses because of upgraded posts. The classification process is well controlled and the risks of inappropriate justifications for classification purposes are managed leading to sound classification decisions. An improvement is needed in the governance aspect by updating the applicable Service Order. HRMD Management commented that the Service Order is being prepared. 13. Overall, findings from the audit provide Reasonable Assurance to the Secretary-General that, effective controls exist for the classification process and that classification risks are managed. Governance aspects need improvement. IA also concluded that savings were generated by the reduction of grades of vacant posts in 2012-2014.

C. Audit of Treasury and Investment process 14. The purposes of the audit were to: (i) review and assess the internal controls (and reporting) as well as their effectiveness in the processes related to ITU’s investment decisions; (ii) verify the governance process, policies, procedures and regulatory framework; and (iii) assess how risks associated with the investment activities are managed. The audit covered 2012 to 2014 (and slightly into 2015). 15. IA noted positive aspects such as: (i) the availability of sufficient cash on demand to meet expected operating expenses (the audit sample did not reveal any cases of shortage of cash); (ii) double signatures of investment instructions to the banks (no cases of erroneous transactions/faxes were found in the files reviewed); and (iii) no anomalies of incompatible transactions had been found in the files concerning investments. 16. IA’s observations, high priority recommendations, and Management’s comments: (i) A recommendation was made that a procedure for managing the negative interest rates should be put in place and that the forming of an internal advisory group should be considered. Management commented that all the legal and financial implications have to be considered and that a formal procedure on the long term will be prepared and submitted for approval to the Secretary-General;

4 Some weaknesses have been identified in the design and/or operation of controls which could hinder achievement of the objectives of the system, function or process. However, either their impact would not be major or they would be not very likely to occur. 4C16/44-E

(ii) A recommendation was made to work on the reporting mechanism for issuing a cash flow forecast report in order to mitigate a potential risk of lack of instant and/or reactive response to a given situation. Management commented that it took note of the recommendation and that discussions to implement it are underway; (iii) A recommendation was made to complete the implementation of the Cash Management module with all its functionalities and to deliver appropriate training to the users, in order to mitigate a potential risk of errors and reduced efficiency. Management commented that it agreed to the recommendation yet cautioned for implementing oversized applications for ITU; (iv)A recommendation was made that e-banking should be the general rule in order to mitigate the risk of erroneous “manual” transactions (by fax). Management commented that it felt that the current procedure is more secure than the electronic one and therefore did not intend to globally implement the recommendation. 17. Overall, for the limited number of annual investment transactions processed, Reasonable Assurance was provided to the Secretary-General that for treasury and investment processes, internal controls, risk management and governance practices are functioning.

D. ITU Internal Regulatory framework (Service Orders) 18. The purpose of the audit had been defined as a review of the accuracy and validity of all Service Orders5 in force to determine whether they are still in line with current regulations and other applicable procedures as well as with best practices. During the preparation phase of the audit, IA was informed that the Chief, Human Resources Management Department (HRMD) had been recently tasked by the Secretary-General to coordinate (and conduct) a review of the Service Orders. IA thus reduced the audit work and issued an Audit Note (i) to describe the work in progress (by relevant colleagues) in this area and (ii) to assess the possible remaining risks. 19. IA concluded that: (i) Review work was being undertaken and, upon completion, the risk of inaccurate internal regulations/administrative instructions would have been mitigated; (ii) The definition of a “Service Order” (and the relation between a Service Order and an Office Memorandum) is adequately laid out in Service Order 00/1; (iii) The role of management is embedded in the process through a number of review mechanisms. The current review exercise, which is being followed up by the Chief, HRMD, the Legal Adviser and by the Library Services is done in close collaboration with the concerned managers. A recommendation was made that close follow-up of the review work should be continued by the coordinating Department (HRMD) as to provide the Secretary-General with assurance that the ITU secretariat has an up-to-date and accurate set of internal regulations for sound and effective governance.

E. Audit of Software Licenses

5 A Service Order is a prescriptive administrative action which constitutes an integral component of the organization's internal legal order and gives rise to rights or obligations for all or some of the staff. A service order may thus, in particular, amend or add to the Staff Rules, add to the Staff Regulations and Financial Regulations, institute administrative or operational procedures or authorize or prohibit an action or mode of conduct. 5C16/44-E

20. The purposes of this audit were; (i) to review and assess the inventory system of software licenses in place; (ii) to assess internal controls to prevent or detect material errors and irregularities as well as to assess whether the policies and guidance provide sufficient guidance to the staff to prevent compliance and economic risk; and (iii) to assess how the Union administers software in compliance with applicable regulations, policies and procedures. The audit covered January 2013 to December 2014. 21. IA’s observations, recommendations and Management’s comments: (i) Additional policies and guidelines as to all types of software should be provided to ITU staff in order to mitigate the potential risk of lack of compliance with respect to software agreements. Management commented that, in case of doubt, users should contact the Legal Affairs Unit to clarify the meaning of clauses contained in said licenses (including those “free for non-commercial use” clauses). (ii) The current inventory process is not optimal. The annual reconciliation between data in SCCM (Information Services Department (ISD) database) and the SAP Software Asset report (FRMD data) should be documented, with a possible increase in the frequency to facilitate the year-end inventory exercise. Management commented that there is a need for the ISD to process the necessary modification if needed, mainly remove software not in use or not anymore supported by IT providers and that the documentation for the yearly software licenses reconciliation exercise would be reviewed and updated. (iii) A report that would enable a sort by product and by cost center in SRM should be established in order to mitigate the risk of incomplete inventory records and of software compliance. The SCCM inventory should be issued in order to reconcile inventory data and the annual software licenses reconciliation should be documented. Management commented that ITU never used detailed product codes (e.g. UNSPSC) that go beyond the very generic Product Categories (formerly Material Groups) used in the SAP ERP system and that license fees are under the generic S341E “Rental – computer systems” which was originally created for real computer rental for Telecom events. Management also commented that this discussion may concern the chart of accounts. (iv)Purchases of software online using the ITU credit card should follow the usual procurement process and should be restricted to a minimum (when no other means of payment can be used) in order to mitigate the economic risk for the Union. The feasibility of integrating purchases by credit card in SRM and the cost effectiveness of this should be determined. Management agreed to the recommendations yet highlighted that it considered the use of credit card purchases already to be at a minimum. (v) IA noted that multi-layer security controls are put in place to minimize the risks for the Union. The alert tool on SCCM for software that may involve a risk in case of downloading individually on users’ computers should however be set up in order to mitigate the compliance and security risk related to administrator rights for user “lambda”. Management commented that it will improve monitoring of what software staff is installing on their individual computers. 22. As a general conclusion, findings from the audit provided Reasonable Assurance to the Secretary-General that ITU internal controls, governance and risk management processes are functioning. IA identified however areas for improvement and risks associated with the inventory and monitoring of software license processes that, if addressed, would reinforce specifically IS processes to increase assurance to the Secretary-General.

F. Audit of Africa Regional and Area Offices 6C16/44-E

23. IA conducted an audit of the Area Offices in Dakar, Senegal and Yaoundé, Cameroon covering the period from January 2013 to June 2015. The objectives of this audit were: (i) to review and assess the host country agreement and policies in place; (ii) to assess to what extent safety and security risks are mitigated as well as to assess to what extent petty cash and bank transactions are supported by adequate guidance and associated risks are mitigated; and (iii) to assess how the Area Offices’ transactions are effectively controlled for compliance with applicable regulations, policies and procedures. 24. One critical issue, namely access (by colleagues) to absent staff’s office in case of emergency or for other business-related reasons, was already partly addressed during the audit visit in the Area Office in Yaoundé and IA was subsequently informed of further measures.

IA’s observations, high priority recommendations, and Management’s comments: (i) Security deficiencies identified during the audit and/or based on the UNDSS reports should be addressed. During the audit, Management already informed IA that this would be dealt with. (ii) A proposal for representation allowances in the Regional and Area Offices should be finalized so that it can be submitted to the Coordination Committee for adoption. Management commented that a draft text has been finalized and is shared for final endorsement before being submitted to the management for approval. 25. Overall, findings from the audit provide Reasonable Assurance that ITU internal controls, governance and risk management processes are functioning. IA identified however areas for improvement and risks associated especially with the safety and security measures in the field and with representation allowance (lack of) that, if addressed, would reinforce specifically ITU field representation and its safety and security.

Implementation of IMAC recommendations pertaining to Internal Audit 26. IMAC performed regular follow-up of the recommendations with respect to the internal audit function and included progress noted in its report to the Secretary-General and in its annual report to the Council. In that context, specific reference is made to the second IMAC report to Council (C13/65, paragraph 3.4) in which it had recommended that “… Internal Audit pursue the commissioning of a peer review to take place preferably by 2014”. Such review took place in January 2015. Though the external validation team expressed the overall opinion that ITU Internal Audit generally conforms to the Standards and Code of Ethics of the IIA, it noted partial conformity with 1 of the 14 IIA Attribute Standards and 5 of the 26 IIA Performance Standards. In the Addendum 2 of its fourth report to Council IMAC endorsed the findings of the external validation team (contained in Document C15/INF/11) and recommended that the Internal Auditor − through the mechanism of the annual report of the Internal Auditor on Internal Audit Activities − reports to the Council in 2016 and subsequent years on action taken and progress made in the implementation of each of the nine recommendations contained in the External Independent Validation of ITU’s IA activity. In the Annex to this report, an overview of the recommendations and IA’s assessment of action taken and progress is thus made available.

Follow-up of internal audit recommendations 7C16/44-E

27. Throughout the period reported on, and in compliance with IIA6 Standard 2500, Internal Audit continued to follow up on recommendations made in previous audit reports. Further progress was noted over the last 12 months and statistics on the implementation are:

Year 2009 2010 2011 2012 2013 2014 2015 Total Number of audit reports 2 3 2 0 4 4 7 22 Recommendations - Total 13 21 17 - 113 55 34 253 In Progress 1 0 1 - 13 20 30 65 Delayed 0 0 2 - 1 5 0 8 Closed 12 21 14 - 99 30 4 180

% of recommendation In Progress 8% 0% 6% - 12% 36% 88% 26% % of recommendations Delayed 0% 0% 12% - 1% 9% 0% 3% % of recommendations Closed 92% 100% 82% - 88% 55% 12% 71%

28. No critical or high importance recommendations from before 2012 were left unimplemented. One of these recommendations is related to the change of an internal approval workflow, which was delayed as it became part of a more holistic review of internal procedures and is in progress and expected to be completed in 2016. The recommendations from 2011 still in progress or delayed concern an internal audit of costing of publications. Management informed Internal Audit (and IMAC) regularly of the progress and the External Auditor had already assessed that some of the recommendations from 2011 were closed. In 2016, Internal Audit continues to monitor the implementation of the various recommendations contained in previous audit reports and will report on this follow-up, as appropriate, to IMAC and to the Secretary-General. Overall, continuous progress is noted, yet very often priorities change and these may affect the degree of importance of initially made recommendations.

Audit methodology related aspects 29. Since 2013, Internal Audit started using Audit Effectiveness Questionnaires which were sent to the audited processes’ and entities’ managers, to assess the effectiveness of the audit work and identify room for improvement. This practice was continued in the period reported on in this document. Based on the 8 questionnaires sent back to Internal Audit in 2015, feedback has been very positive (average score of 4, on a scale from 1 to 5).

______

6 Institute of Internal Auditors, www.theiia.org. 8C16/44-E

Annex 1 to C16/44 FOURTH ANNUAL REPORT OF THE INDEPENDENT MANAGEMENT ADVISORY COMMITTEE (IMAC)

(Source: Addendum 2 to Doc C15/22-E of 13 May 2015)

Recommendation 6 (2015): IMAC therefore endorses the findings of the external validation report and commends them to the Council’s attention. IMAC recommends that the Council request the Secretary-General and the Internal Auditor - through the mechanism of the annual Report of the Internal Auditor on Internal Audit Activities - to report to the Council in 2016 and subsequent years on action taken and progress made in the implementation of each of the nine recommendations contained in the External Independent Validation of ITU’s Internal Audit activity.

EXTERNAL VALIDATION

Status Follow up Remarks as assessed by ITU Management Comment Issue Recommendation (February Internal Audit (May 2015) 2016) (February 2016) 1.1 The IA activity should conduct a risk analysis which should Comment by Internal Audit: Work on the above implemented For IA planning 2016 a risk analysis was done include establishing the audit universe and a risk register, and has already started and further work will be based on an established audit universe, the establish criteria for ensuring that all critical and major risk undertaken for the 2016 audit plan. ITU business processes and the official ITU areas identified in the audit universe are covered within a risk register; 9 criteria for determining the reasonable timeframe (such as within 2-3 years). importance of the components of the audit universe were used. 1.2.a The IA activity should strengthen the work planning process by implemented The audit strategy and approach identifies the including, in the annual programme of work: a) an audit strategy critical and major risks of the audit universe and approach to enable complete coverage of all critical and major risks and to provide reasonable assurance on the effectiveness of controls, risk management and governance processes to the Secretary General and the Council; 1.2.b The IA activity should strengthen the work planning process by implemented The 2016 audit plan contains a description of including, in the annual programme of work: b) a description of the audit universe and the criteria used for the audit universe and the criteria or risk factors used for selecting topics for audits selecting audit projects or topics for audits; Comment by Internal Audit: Work on the above 1.2.c The IA activity should strengthen the work planning process by has already started and further work will be implemented The 2016 audit work plan was drawn up taking including, in the annual programme of work: c) the nature and undertaken for the 2016 audit plan. into account the topics that would be covered extent of coordination with the external auditors (including the list by the External Auditor (as per their draft audit of proposed audits contemplated by the external auditors) and plan received on 18 December 2015) eventual evaluation activities so as to minimize duplication of work and ensure good cooperation and exchange of information; and 1.2.d The IA activity should strengthen the work planning process by implemented The analysis of available (and needed) including, in the annual programme of work: d) an analysis of the resources required to cover all major risk adequacy of resources required to cover all major risk areas areas within an established time frame or within an established time frame or audit cycle. audit cycle was stated in the 2016 audit plan . 1.3 The IA activity should conduct a skill gap analysis so as to Comment by Internal Audit: Work on the above implemented No lack of skills and experience of internal compare the actual and expected collective knowledge, skills and has already started and further work will be audit staff in performance auditing has been experience of internal audit staff in performance auditing that is undertaken for the 2016 audit plan. identified but for the task regarding the required to fulfill its mandate. evaluation function it was highlighted that specialized external resources may need to be called on. 2.1 a The IA activity should further develop audit guidance tools on implemented For each audit, objectives are determined now audit planning and execution (and consider consolidating them in advance based on the risk assessment of into one knowledge management tool such as an audit manual) so the process or item being audited. as to strengthen the capacity of the IA activity to: a) establish audit objectives and scope of each audit engagement following a preliminary assessment of the risks of the activity, process or system under review (auditing the “right things”); 2.1 b The IA activity should further develop audit guidance tools on implemented The Audit Notification that is sent prior to the audit planning and execution (and consider consolidating them beginning of the audit contains the elements into one knowledge management tool such as an audit manual) so such as objectives, scope, purpose, and as to strengthen the capacity of the IA activity to: b) establish a timelines. This had always already been the planning memo that explains how the audit will be executed and case. Further detailed administrative the results communicated to the auditees; and the timelines of the communicaitons with auditees are arranged various phases of the audit; Comment by Internal Audit: The above is being when and as appropriate. implemented as new audits are being conducted 2.1 c The IA activity should further develop audit guidance tools on implemented For each audit objective the list of risks to the and as far as resources permit. audit planning and execution (and consider consolidating them achievement of the objectives of the activity into one knowledge management tool such as an audit manual) so under review, audit criteria (to control each as to strengthen the capacity of the IA activity to: c) develop audit identified risk) and related audit procedures programme that establish for each audit objective the list of risks are determined insofar that these can be done to the achievement of the objectives of the activity under review, at the outset; on various occasions experience audit criteria (to control each identified risk) and related audit has shown that these elements have to be procedures (auditing the “things right”); and altered as the audit progresses. 2.1 d The IA activity should further develop audit guidance tools on implemented This is further developed as audits are audit planning and execution (and consider consolidating them conducted. The contradictory process of into one knowledge management tool such as an audit manual) so confirming factual correctness by the auditees as to strengthen the capacity of the IA activity to: d) ensure work and obtaining management comments are two papers that clearly link for each observation the criteria, the key steps in the audit process that are causes and the consequences; and conclusions against each audit systematically applied. objective. 9C16/44-E

3.1 The IA activity should amend the definitions of the standard audit implemented Most of the internal audit reports issued in opinion to include a conclusion not only on the effectiveness of 2015 are now referring -in the overall audit controls but also on the governance and risk management opinion- to the assurance with respect to practices so as to provide assurance on all aspects of the IA governance, risk management and mandate to senior management of ITU. effectiveness of internal controls. For a few rare cases where the audit had a very specific objective, this would not be applicable or Comment by SG: Depending on the objective of possible. 3.2 The IA activity should strengthen report content by including the audit mandate, the first point will be applied. implemented Each audit report contains in the core part of explicit references to the causes and consequences of audit For the other points in the recommendation, the report explicit reference to the audit observations; and by ensuring recommendations address the root these will be considered during 2015 and for the objective (referring to COSO2013), and causes of problems. annual report in 2016. taylored recommendations to address the root cause. 3.3 The IA activity should include in its annual report to the Council in progress This will be done for the Report to Council the recurrent causes of findings identified in audits carried out 2016 insofar that it would already be possible during that year and the actions taken by ITU to address them based on the audit reports of previous years. (Successful practice). Some findings may not be sufficiently recurrent to be representative. 4.1 ITU Management should consider accelerating the development of Comment by SG: The ITU comprehensive risk- in progress see document CWG-FHR 6/11 for update an ERM system and a consolidated control framework. management framework is being implemented as a fully integral element of the overall strategic and operational planning process. It follows a multi-level risk management approach, which accounts for the overall risk environment faced by ITU overall as well as specific risks faced by the Sectors, Bureaux and General Secretariat, and ensures that specific risks are managed at the most appropriate level with appropriate resources available to implement mitigation measures. 5.1 ITU Management should consider assessing the resource needs of Comment by SG: This assessment will be done implemented This is done at every budget preparation. the IA activity in light of its mandate to provide reasonable on a regular basis. assurance to the Secretary-General on the effectiveness of the organization’s risk management, control and governance processes, and to provide advisory services.